BCS News - The risks of security

14 May 1997


Many companies seem unaware of the risks they are taking in neglecting to regulate the training of IT security staff. Those that are aware of the issues have widely differing views on how to tackle them.

BCS security committee chairman Willie List said: 'My personal opinion is that there are a lot of bright young things who are good at stitching up networks, but what they are doing does not fit in with the security of the company. It is the normal IT communication problem plus a bit.'

Secure systems are bound by tight regulations and a strict need-to-know hierarchy. Yet security staff may be ill-regulated and poorly trained.

The BCS is working with bodies such as the CBI on ways of securing the security industry so that staff are not the chink in a company's armour.

There are moves to certify training companies offering courses in systems security under the soon-to-be revised BS7799, but it may be 18 months before such certification is available. In the meantime the BCS has responded to concerns about the security personnel issue by reissuing its Training Guidelines for IT Security, put together with the CBI.

List believes smaller companies are most affected by the failure to make sure that the security measures put in place by IT staff are workable and understood by other staff.

'They need to have an understanding of what people are likely to do - for example, when using passwords - but the problem is getting that through to a 25-year-old,' List says. 'It is that problem superimposed on the technical detail of how the system is stitched together and its manageability which creates huge people problems.'

'Training is needed for technical staff to instruct them in what businesses need, and business people need to be trained to understand what technical staff are trying to do and how they are doing it. The holier-than-thou IT department has got to learn that management works on a "Do what I do, not what I say" principle,' says List.

Security training is clearly in disarray. Impending certification is all very well, but as List points out: 'Certification is coming next January, but who will be the certifiers? And what will be the structure of courses? There are courses around run by all sorts of people associated with their products, but they may not be competent or useful.'

The original BS7799 has been around for more than three years, and was originally written by a group of security officers from companies including Shell and Unilever. It was a code of practice for security officers published by the DTI, and according to List it sold like hot cakes. Then the British Standards Institute turned it into the BS7799.

Since then, moves to develop the certification process have stalled. 'Getting the certification scheme worked out was more difficult than originally thought. Some people - and I am one - thought it was not sensible in the first place,' says List.

List claims there were difficulties from the beginning, because the title and content of the document did not coincide very well, and the BS document was difficult to certify against.

Perhaps more than any other IT area, training in security issues requires standards to work to, and List says the certification issue looks set to rumble on.

'A lot of organisations want to self-certify, and the standards committees are very agitated by this,' he says. The stand-off continues between commercial would-be self-certifiers who point to the Swift banking system as a good example of self-certification, and the regulations-minded standards bodies.

Yet as the scenario of small companies taking orders over the Internet moves closer to reality, the need for trained staff operating to certified standards takes on fresh impetus.
